Supported Formats
Inputs
Signing Key
Supported signature formats through the signature key parameter:
| Encryption | Format | Supported |
|---|---|---|
| ECDSA 256 | PEM | ✅ |
| ECDSA 384 | PEM | ✅ |
| RSA 1024 | PEM | ✅ |
| RSA 2048 | PEM | ✅ |
| RSA 4096 | PEM | ✅ |
| ED25519 | PEM | ✅ |
Artifact Digest
Supported digest algorithms through the Subjects parameter:
| Algorithm | Supported |
|---|---|
| SHA 256 | ✅ |
Outputs
SLSA Provenance
To trace software back to the source and define the moving parts in a complex supply chain, provenance needs to be there from the very beginning. It’s the verifiable information about software artifacts describing where, when, and how something was produced. For higher SLSA levels and more resilient integrity guarantees, provenance requirements are stricter and need a deeper, more technical understanding of the predicate.
| Standard | Supported | Specification URL |
|---|---|---|
| v1 | ✅ | https://slsa.dev/provenance/v1 |
In-toto Attestation
The in-toto Attestation Framework provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of the software can then validate the origins of the software and establish trust in its supply chain using in-toto attestations.
| Standard | Supported | Specification URL |
|---|---|---|
| v1 | ✅ | https://in-toto.io/Statement/v1 |
DSSE Envelope
The Envelope is the outermost layer of the attestation, handling authentication, and serialization.
| Standard | Supported | Specification URL |
|---|---|---|
| DSSE v1 | ✅ | https://github.com/secure-systems-lab/dsse |